New IE 0-Day, Not Acrobat, Named Vector in the Google Attacks

This site may earn affiliate commissions from the links on this page. Terms of use.

New evidence points to a previously unknown vulnerability in Internet Explorer as the hole through which criminals recently attacked Google and other companies, rather than a known, but unpatched vulnerability in Adobe Acrobat and Reader, as had previously been claimed.

Microsoft has issued an advisory for the new vulnerability in IE listing every currently supported version except IE5 on Windows 2000 as vulnerable. As described by Microsoft: "It is possible under certain conditions for [an] invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

Protected Mode in IE7 and IE8 in Windows Vista and Windows 7 "limits the impact of this vulnerability." This means that the exploit code runs in the unprivileged context of IE, and can't likely do much damage.

If not running in Protected Mode, the attack code runs with the same privileges as the logged-in user, so running them as a standard user can limit the impact of the vulnerability as well.

Users running on Windows Server 2003 and 2008 run, by default, in Enhanced Security Configuration and limiting the impact for sites not in the Windows Trusted Sites zone.

HTML e-mail in Outlook, Outlook Express and Windows Mail opens in the Restricted Sites Zone, which prevents scripting and ActiveX controls, which Microsoft says should mitigate the attack. Unsurprisingly, this is a clue that the vulnerability is invoked through scripting and/or ActiveX controls.

Microsoft says that they are aware of "limited, active attacks attempting to use this vulnerability against Internet Explorer 6." This is worded interestingly, in that we have been led to believe that many companies were attacked and surely some of them use IE7 or IE8 on Windows XP (on Vista or Windows 7 the attacks would be blocked by Protected Mode). Perhaps the vulnerability is easier to exploit through IE6 than through more recent versions. It wouldn't be the first time that happened.

Just yesterday analysts, VeriSign iDefense among them, were claiming with certainty that the most recent PDF vulnerability, just patched by Adobe, was the vector used in the attacks. It was so easy to believe that this was the case because PDF vulnerabilities are a popular and growing vector for attacks and lend themselves well to targeted attacks.

Adobe points to a McAfee Security Insights blog entry that names the mass-attack "Aurora" and states that they have analyzed "several pieces of malicious code" involved in the attack. It seems it was they who identified the new IE 0-day and reported it to Microsoft. They confirm that all versions of IE are vulnerable, but only IE6 was targeted.

Incidentally, in their advisory Microsoft thanks these companies for working with them and providing details:

MANDIANT is an threat management and incident response company which, it would seem, worked with Google on the incident. You know who the other companies are and what roles they played.

Clearly there is still a great deal about these attacks that is not yet public and we need to refrain from jumping to conclusions. Adobe's role in this, for example, could easily be just another victim of the attack, an attack which they claim was largely thwarted. We can also say, based on what we know so far, that the standard best practices advice we always give would have gone a long way towards repelling these attacks: Run current versions of operating systems, browsers and other key software and employ multiple levels of defense. There were already, for example, no end of good reasons not to run IE6 anymore, but now you have one more.